In the third quarter of 2015, small and medium-sized businesses (SMBs) accounted for 45 percent of the incidents involving PoS malware, and the reason is not difficult to explain. SMBs hit the sweet spot of being easy and lucrative targets compared to bigger companies with more sophisticated security measures. Trend Micro researchers recently found a botnet that looks for PoS systems within networks. Tagged as Black Atlas (a nod to BlackPOS, the malware primarily used), the operation doesn’t specifically target SMBs, but they're likely to be the most affected.
Unfortunately, malware isn't the only threat that affects card payment systems. Cybercriminals have another way of getting their hands on payment data: skimming.
Skimming involves installing a device called a skimmer in a merchant’s card payment system to collect payment card data. Some SMBs unknowingly buy PoS devices, sold cheaply in underground markets, that have already been compromised before they are even used. Once these are installed as part of a retailer's payment system, they can collect customers' payment data when a card is swiped at the till during a transaction.
Modified PoS devices are peddled on underground forums. Our research on Chinese cybercriminal underground activities shows that skimmers can also feature SMS notification, allowing cybercriminals to instantly receive stolen data via SMS the moment the tampered devices are used. This way, they won’t even need physical access to collect information from the devices.
This year, US merchants have been adopting EMV payment technology, which addresses some of the weaknesses that have facilitated PoS malware attacks. While chip-and-PIN cards can help curb card fraud by adding a number of verification processes, they are not a guaranteed solution, since a skimmer can still access data. Some PoS skimmers have also been found featuring PIN pad skimmers, essentially busting the security layer provided by personal identification numbers on newer payment card tech.